Encrypting ASP.NET appSettings Web.Config File
It is recommended to encrypt the appSettings section of the ASP.NET Web.Config file for security reasons. The simplest method is the aspnet_regiis.exe command-line utility, which is available in .NET Framework 2.0 or higher; for this blog I will be using .NET Framework 4.0.
aspnet_regiis.exe
The location of aspnet_regiis.exe command-line utility is:
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
Encryption
To encrypt the appSettings section at the command line:
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe -pef appSettings "c:\project\directory" -prov "DataProtectionConfigurationProvider"
- Specify the full path to the aspnet_regiis.exe command-line utility
- Use -pef appSettings to select the appSettings section, followed by the physical directory that contains Web.Config
- Use -prov "DataProtectionConfigurationProvider" to select the provider
.NET Framework 4.0 has two built-in providers for encrypting the appSettings section in the ASP.NET Web.Config file:
- DataProtectionConfigurationProvider: Windows Data Protection API (DPAPI)
- RsaProtectedConfigurationProvider: RSA encryption
The simplest provider to use is the DataProtectionConfigurationProvider: there are no RSA keys to create and set up. The DataProtectionConfigurationProvider is server-specific.
When copying the Web.Config file from your development environment, encrypt the appSettings section on the server using the DataProtectionConfigurationProvider provider; otherwise the appSettings section will not be decrypted correctly.
With the RsaProtectedConfigurationProvider, the RSA keys can be copied from the development environment to the server without change.
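To confirm that the encryption step actually took effect on a given server, the Web.Config content can be checked for the `configProtectionProvider` attribute and an `EncryptedData` element in place of plain `add` entries. The script below is an added example, not code from the original post; the function name `Get-AppSettingsProtection` is hypothetical and both sample documents are constructed.

```powershell
# Added example: classify the appSettings section of a Web.Config document.
function Get-AppSettingsProtection {
    param([Parameter(Mandatory)][xml]$Config)

    # local-name() tolerates a default xmlns on <configuration> or <EncryptedData>.
    $section = $Config.SelectSingleNode(
        "/*[local-name()='configuration']/*[local-name()='appSettings']")
    if ($null -eq $section) { return 'NoAppSettings' }

    $provider  = $section.GetAttribute('configProtectionProvider')
    $encrypted = $section.SelectSingleNode("*[local-name()='EncryptedData']")
    $plainAdds = $section.SelectNodes("*[local-name()='add']").Count

    # Any readable <add> entry means settings are still stored in plaintext.
    if ($plainAdds -gt 0) { return "Plaintext:$plainAdds key(s)" }
    if ($provider -and $encrypted) { return "Protected:$provider" }
    return 'Unknown'   # e.g. an empty section or settings kept in an external file
}

# Constructed sample: appSettings before running aspnet_regiis.exe -pef.
$plain = @'
<configuration>
  <appSettings>
    <add key="ApiKey" value="constructed-sample-value" />
    <add key="SmtpPassword" value="constructed-sample-value" />
  </appSettings>
</configuration>
'@

# Constructed sample: the shape of the section after encryption (cipher text is a placeholder).
$protected = @'
<configuration>
  <appSettings configProtectionProvider="DataProtectionConfigurationProvider">
    <EncryptedData>
      <CipherData>
        <CipherValue>CONSTRUCTED-PLACEHOLDER</CipherValue>
      </CipherData>
    </EncryptedData>
  </appSettings>
</configuration>
'@

Get-AppSettingsProtection -Config $plain
Get-AppSettingsProtection -Config $protected
```

To check a deployed file, pass its content instead of a sample, for example `-Config (Get-Content "c:\project\directory\Web.config" -Raw)`.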
Decryption
To decrypt the appSettings section at the command line:
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe -pdf appSettings "c:\project\directory"
- Specify the full path to the aspnet_regiis.exe command-line utility
- Use -pdf appSettings to select the appSettings section, followed by the physical directory that contains Web.Config
C# Example reading appSettings Key
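This example encrypts the appSettings section from code if it is not already protected; once the section is protected, the appSettings values are read and decrypted automatically:
using System.Configuration;
using System.Web.Configuration;

// Place inside a Page (code-behind) class; Request is the page's HttpRequest.
private void EncryptAppSettings()
{
    // Open the Web.Config of the current application.
    Configuration objConfig = WebConfigurationManager.OpenWebConfiguration(Request.ApplicationPath);
    AppSettingsSection objAppsettings = (AppSettingsSection)objConfig.GetSection("appSettings");

    // Encrypt only if the section is not already protected.
    if (!objAppsettings.SectionInformation.IsProtected)
    {
        objAppsettings.SectionInformation.ProtectSection("DataProtectionConfigurationProvider");
        // ForceSave writes the section even though its settings did not change.
        objAppsettings.SectionInformation.ForceSave = true;
        objConfig.Save(ConfigurationSaveMode.Modified);
    }
}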
Links
ASP.NET IIS Registration Tool (Aspnet_regiis.exe)
http://msdn.microsoft.com/en-us/library/k6h9cz8h%28v=vs.100%29.aspx
How To: Encrypt Configuration Sections in ASP.NET 2.0 Using DPAPI
http://msdn.microsoft.com/en-us/library/ff647398.aspx
How To: Encrypt Configuration Sections in ASP.NET 2.0 Using RSA
http://msdn.microsoft.com/en-us/library/ms998283.aspx
DpapiProtectedConfigurationProvider Class
http://msdn.microsoft.com/en-us/library/system.configuration.dpapiprotectedconfigurationprovider%28v=vs.100%29.aspx
RsaProtectedConfigurationProvider Class
http://msdn.microsoft.com/en-us/library/system.configuration.rsaprotectedconfigurationprovider%28v=vs.100%29.aspx